Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.
The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and in Windows Server 2003 and 2008 — is that RDP is not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.
“It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys.
Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, said this bulletin should be considered a top priority, noting that Microsoft has rated its “exploitability index” as 1, meaning that Microsoft expects working exploits to be available in fewer than 30 days.
“An unauthenticated remote code execution is pretty much as bad as it gets,” Marcus said.
For users and organizations that need time to evaluate the RDP patch before installing it, Microsoft has developed and released a FixIt tool to enable “Network Level Authentication” (NLA), which according to the company is an effective mitigation for this issue. With NLA in place, a client has to authenticate before a desktop session is set up, so the flaw can only be reached by someone who already holds valid credentials for the machine. Note that NLA can only be required on Windows Vista, Windows 7 and Windows Server 2008 hosts; on Windows XP and Windows Server 2003, the remaining workarounds are to disable Remote Desktop or to block TCP port 3389 at the firewall until the patch is applied.
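The following PowerShell script is an added example, not code from the original article and not Microsoft’s FixIt. It audits a Windows host for the exposure described above (is RDP enabled, is anything listening on TCP 3389, is NLA required) and, where the host is Vista/2008 or later, applies the same setting the FixIt applies by requiring NLA on the RDP-Tcp listener. The registry values and WMI class it reads are Microsoft’s documented ones; the function names and the `PreAuthExposed` summary field are this example’s own. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example: audit a host's RDP exposure and optionally require NLA.
# Not from the original article or from Microsoft's FixIt; run elevated.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication: 1 = NLA required, 0 = a session is offered before any credential is checked.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    $sec  = (Get-ItemProperty -Path $rdpKey -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    # Confirm whether something is actually listening on the RDP port;
    # netstat is available on every Windows version affected by this bulletin.
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (Windows 7 / 2008 R2 default).
    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -eq 0)
        Port3389Listen = $listening
        NlaRequired    = ($nla -eq 1)
        SecurityLayer  = $sec
        # The unauthenticated attack surface exists only when RDP is on and NLA is not enforced.
        PreAuthExposed = ($deny -eq 0 -and $nla -ne 1)
    }
}

function Enable-RdpNla {
    # Same effect as the FixIt: require NLA on the RDP-Tcp listener.
    # Only possible on Windows Vista / Server 2008 and later (NT 6.x); XP and Server 2003
    # hosts cannot require NLA, so there the options are patching, disabling RDP, or firewalling TCP 3389.
    $os = [Environment]::OSVersion.Version
    if ($os.Major -lt 6) {
        throw "NLA cannot be required on this OS version ($os); patch, disable RDP, or block TCP 3389 instead."
    }
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired(1) | Out-Null
}

$status = Get-RdpExposure
$status | Format-List

if ($status.PreAuthExposed) {
    Write-Warning "RDP is reachable without NLA on $($status.ComputerName); requiring NLA now."
    Enable-RdpNla
    # Re-read the settings so the change is confirmed from the registry, not assumed.
    Get-RdpExposure | Format-List
}
```

Two caveats before rolling this out: requiring NLA means clients must support CredSSP (Remote Desktop Connection 6.0 or later; Windows XP needs SP3 and CredSSP explicitly enabled), so older clients will be locked out until they are updated; and NLA is a mitigation, not a fix, since the vulnerable code is still present and reachable by anyone holding valid credentials. The patch itself remains the real remedy.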
The remainder of today’s updates address three other Windows vulnerabilities, and problems in Microsoft Expression Design and Microsoft Visual Studio.
For a breakdown of the patches, see Microsoft’s Security Bulletin Summary for March 2012. The fixes are available through Windows Update. As always, if you experience any problems or issues updating, please leave a note about your experience in the comments below.
- Hacked Via RDP: Really Dumb Passwords
Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service which rents access to hacked PCs at organizations that make this all-too-common mistake.